PawletOS/android_bootable_recovery
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ext4crypt: support wrappedkey for FBE

Browse Source 
Qualcomm devices use a special `wrappedkey` mode for FBE. This is ported
from CAF
https://source.codeaurora.org/quic/la/platform/system/vold/commit/?h=LA.UM.7.8.r4-01000-SDM710.0&id=9229262d893a8592f7bc1b4e8a8dab7aad8df68c,
originally by folks at Mokee for vold
https://mokeedev.review/c/MoKee/android_system_vold/+/34102.

This patch ports the above changes to `ext4crypt`, which we can use in
recovery. Note that since we do not have `fs_mgr` in the recovery, we
cannot read the `wrappedkey` flag from fstab. Instead, similar to
`fbe.contents`, we use a special property `fbe.data.wrappedkey` to
indicate support for wrappedkey mode. Devices that need to use this
should set this property to `true` to activate corresponding code.

Change-Id: I79c2855d577156670b45c10c7c7b1fcd9fece8d9
This commit is contained in:
Peter Cai
2019-05-23 16:32:22 +08:00
committed by big biff
parent 69ab4a6000
commit 90edd2e867
8 changed files with 163 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
crypto/ext4crypt/KeyStorage4.cpp
View File

@@ -66,6 +66,7 @@ static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
static constexpr size_t STRETCHED_BYTES = 1 << 6;
static constexpr uint32_t AUTH_TIMEOUT = 30; // Seconds
constexpr int EXT4_AES_256_XTS_KEY_SIZE = 64;
static const char* kCurrentVersion = "1";
static const char* kRmPath = "/system/bin/rm";
@@ -131,6 +132,45 @@ static bool generateKeymasterKey(Keymaster& keymaster, const KeyAuthentication&
return keymaster.generateKey(paramBuilder, key);
}
bool generateWrappedKey(userid_t user_id, KeyType key_type,
KeyBuffer* key) {
Keymaster keymaster;
if (!keymaster) return false;
*key = KeyBuffer(EXT4_AES_256_XTS_KEY_SIZE);
std::string key_temp;
auto paramBuilder = km::AuthorizationSetBuilder()
.AesEncryptionKey(AES_KEY_BYTES * 8)
.GcmModeMinMacLen(GCM_MAC_BYTES * 8)
.Authorization(km::TAG_USER_ID, user_id);
km::KeyParameter param1;
param1.tag = (km::Tag) (android::hardware::keymaster::V4_0::KM_TAG_FBE_ICE);
param1.f.boolValue = true;
paramBuilder.push_back(param1);
km::KeyParameter param2;
if ((key_type == KeyType::DE_USER) || (key_type == KeyType::DE_SYS)) {
param2.tag = (km::Tag) (android::hardware::keymaster::V4_0::KM_TAG_KEY_TYPE);
param2.f.integer = 0;
} else if (key_type == KeyType::CE_USER) {
param2.tag = (km::Tag) (android::hardware::keymaster::V4_0::KM_TAG_KEY_TYPE);
param2.f.integer = 1;
}
paramBuilder.push_back(param2);
if (!keymaster.generateKey(paramBuilder, &key_temp)) return false;
*key = KeyBuffer(key_temp.size());
memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
return true;
}
bool getEphemeralWrappedKey(km::KeyFormat format, KeyBuffer& kmKey, KeyBuffer* key) {
std::string key_temp;
Keymaster keymaster;
if (!keymaster) return false;
if (!keymaster.exportKey(format, kmKey, "!", "!", &key_temp)) return false;
*key = KeyBuffer(key_temp.size());
memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
return true;
}
static std::pair<km::AuthorizationSet, km::HardwareAuthToken> beginParams(
const KeyAuthentication& auth, const std::string& appId) {
auto paramBuilder = km::AuthorizationSetBuilder()